Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hacking the Box (Joseph Sheridan)

Chris Cooper
July 11, 2012
Technology
1
270

Hacking the Box (Joseph Sheridan)

Speaker: Joseph Sheridan (http://goo.gl/9cMJ8)
Slides by Chris Cooper and Joseph Sheridan.

Penetration tester and ethical hacker Joseph Sheridan takes you through some of the day-to-day hacks utilised during a security engagement.

Presented at #Digibury 007.
http://deeson-online.co.uk/digibury/007

Chris Cooper

July 11, 2012
Tweet

More Decks by Chris Cooper

See All by Chris Cooper
The Digital Hostage: Ransomware in the Workplace
itscooper
0
100
People Security and Social Engineering
itscooper
0
110
Keeping Your Data Secure: A Guide for Human Beings
itscooper
0
180
E-Safety: How technology can protect us from technology
itscooper
0
310
Social Engineering: How to Rob a Bank with a Phone
itscooper
0
190
The Cookie Monster (and other web security exploits)
itscooper
2
320
Breaking Stuff: What Ethical Hacking Has Taught Me
itscooper
1
140

Other Decks in Technology

See All in Technology
アクセシビリティを考慮したUI/CSSフレームワーク・ライブラリ選定
yajihum
2
410
小さな開発会社がWebサービスを作る理由
polidog
PRO
1
160
元インフラエンジニアに成る / Human Resources to Human Relations
bobtani
3
830
Next'24 事例セッションの紹介とクラウド資格を活用したキャリア形成について語りMuscle
yasumuusan
1
350
シン・Kafka / shin-kafka
oracle4engineer
PRO
8
2.7k
o11y入門_外形監視を利用したWebアプリケーションへの最適なモニタリング_TechBrew
k5k
3
100
複雑な構成要素を持つUIとの向き合い方 〜新・支出グラフでの実例〜 / B43 TECH TALK
nakamuuu
0
110
開発生産性向上サービスを作るFindyが自分たちで開発生産性を爆上げした組織づくりの歩み / Findy's path to boosting its own development productivity 2024-04-17
ma3tk
3
350
LLM とプロンプトエンジニアリング/チューターをビルドする / LLM and Prompt Engineering and Building Tutors
ks91
PRO
0
220
20240416_devopsdaystokyo
kzkmaeda
1
190
Oracle Cloud Infrastructure:2024年4月度サービス・アップデート
oracle4engineer
PRO
1
120
日本におけるデータエンジニアリングのこれまでとこれから
foursue
14
2.6k

Featured

See All Featured
The World Runs on Bad Software
bkeepers
PRO
61
6.7k
Music & Morning Musume
bryan
41
5.6k
What’s in a name? Adding method to the madness
productmarketing
PRO
15
2.6k
Creatively Recalculating Your Daily Design Routine
revolveconf
209
11k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
321
20k
Building Applications with DynamoDB
mza
88
5.6k
Faster Mobile Websites
deanohume
297
30k
Code Review Best Practice
trishagee
54
15k
The Cult of Friendly URLs
andyhume
74
5.7k
Designing on Purpose - Digital PM Summit 2013
jponch
110
6.4k
The Art of Programming - Codeland 2020
erikaheidi
41
12k
The MySQL Ecosystem @ GitHub 2015
samlambert
242
12k

Transcript

  1. hacking the

  2. [email protected] Joseph Sheridan Started Reaction in 2009 Locally based CESG

    CHECK registered

  3. penetration testing aka ethical hacking, pentesting, white hat hacking etc…

    introduction What is penetration testing? What will be covered today?

  4. penetration testing aka ethical hacking, pentesting, white hat hacking etc…

    Services • Network infrastructure • Web apps • Host build reviews • Wireless networks • Database security

  5. HACKING MAINFRAME THE testing network infrastructure

  6. domain admin in under 30mins guess passwords the easy way

    in? < this actually happens password policy

  7. the easy way in? the awful passwords we find: Blank

    • SQL Server • Gary McKinnon blank root pentagon Password01 Company name Football team Swear words Their own username

  8. more easiness look for unpatched servers e.g. how about an

    internet-facing host with no firewall and missing critical security patches MS04-011 MS06-040 MS08-067 MS09-050 / LSASS / Canonicalisation / Netapi / Negotiate Function Table

  9. MS09-050 owned over the internet

  10. password cracking dictionary attack brute-force rainbow tables

  11. None

  12. sharing != caring when you have found a password for…

    oh, say a local administrator account chances of another account having the same password = HIGH

  13. HACKING INTERNET THE testing web applications

  14. user enumeration knowing a list of users makes brute-forcing significantly

    easier
  15. None

  16. stale cookies a user’s account is session only as secure

    as his token

  17. stale cookies e.g. once upon a time, we found the

    following session token… MDEzODM0MDg4NzM= which translates from Base64 to… 0 1 3 8 3 4 0 8 8 7 3 always zero random sequential (every login) get any active session by enumerating through 9999 values (approx 10mins in this case)
  18. None

  19. xss <p>No results found for <?=$_GET[“search"]?></p> http://mysite.com/?search=

  20. xss <p>No results found for <?=$_GET[“search"]?></p> http://mysite.com/?search= payload: <script>alert(‘xsstest’)</script>

  21. xss <p>No results found for <?=$_GET[“search"]?></p> script>alert(‘xsstest’)</script> payload: <script>alert(‘xsstest’)</script>

  22. xss <p>No results found for <script>alert(‘xsstest’) </script></p> script>alert(‘xsstest’)</script> payload: <script>alert(‘xsstest’)</script>

  23. xss <p>No results found for <script>alert(‘xsstest’) </script></p> script>alert(‘xsstest’)</script> payload: <script>alert(‘xsstest’)</script>

    xsstest Alert!

  24. SQLi Enter your username and password: Go! $query = “SELECT

    id FROM users WHERE uname=‘ ’ “ . $username . “ AND pword=‘ “ . $password . “ ’” joebloggs *********

  25. SQLi joebloggs Enter your username and password: Go! $query =

    “SELECT id FROM users WHERE uname=‘ ’ ********* joebloggs AND pword=‘ ‘ OR 1=1# ’”

  26. SQLi joebloggs Enter your username and password: Go! $query =

    “SELECT id FROM users WHERE uname=‘joebloggs’ ********* AND pword=‘‘ OR 1=1#’”

  27. blind SQLi ‘ and if(substring((SELECT pword FROM users WHERE uname='admin‘),

    1, 1)=‘a’, benchmark(500000, MD5(‘!’)), 0)

  28. blind SQLi

  29. HACKING PEOPLE social engineering

  30. phishing From: Company IT Helpdesk <[email protected]> To: Fred Jones <[email protected]>

    Subject: IT Helpdesk Important Information – Action Required Dear Fred, We have detected suspicious activity relating to your Company account. As a precaution, we require you to verify your details using the password management system. Failure to do so may result in revocation of your user rights. Please copy and paste the following URL into your browser: http://security.company.com/pm/?verify=982364925874578955 IT Dept. Company [email protected] This email and any files transmitted with it are confidential and are intended solely for the use of the individual to whom they are addressed. If you are not the intended recipient please notify the sender. Any unauthorised dissemination or copying of this email or its attachments and any use or disclosure of any information contained in them, is strictly prohibited. Please consider the environment before printing this email.

  31. phishing users were directed to a mirrored login on our

    server how many fell for it? 9 /60

  32. USB drop could be preloaded with malware or spawn outgoing

    connections leave them lying around / curiosity hand them in to receptionist / helpfulness

  33. EXPLOITS: researching software vulnerabilities THE MAKING OF

  34. buffer overflows ScriptFu console

  35. None

  36. buffer overflows

  37. overflows buffer • return address • shellcode exploit contains:

  38. THE [email protected] reaction information security, canterbury